Analysis
max time kernel: 140s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/07/2023, 12:05
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20230621-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20230621-en
General
Target: file.exe
Size: 1.2MB
MD5: de054f35b1dfd45e5ee2b44dff6eeb52
SHA1: 4d2135193d9d4d9b697effbd3c6c1b4909ad0dd1
SHA256: c50ed0352f86462194d23cc0b3128c28eca1eaa426049abddd58e697e29831cb
SHA512: 1c448033cef567dd47c6e3a9e7b4d180494134639f41bd5d6c47ee0b871f88c2d79aebd2dce1cedab16ca7de1bd753cb03253ed2e6c5a4fc43b17bd8419b592f
SSDEEP: 24576:JfOy1uT6bvmvLhpWkisphG1CNUS25yL2BvwsXOcnNUWCMW6:JGbu6/WMphGID5L/cvT
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid | Process
1364 | is-613QT.tmp
2144 | RejSpacer72.exe

Loads dropped DLL (1 IoCs)
pid | Process
1364 | is-613QT.tmp

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-9HQDE.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-EP408.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-SGSJS.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-ULL30.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-APR4V.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\is-CIG3T.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-Q0V85.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-5LF4H.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-C5P62.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-TF7MB.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-QNFRR.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-77IGE.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\is-R28GJ.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-MLC45.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-U0M8I.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-P78QH.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\is-KEGO9.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-TTEGN.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-M0HGK.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-24OI1.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-BI2TI.tmp | is-613QT.tmp
File opened for modification | C:\Program Files (x86)\RejSpacer72\RejSpacer72.exe | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\is-SKLNL.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-29M6A.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-TQ1PK.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Config\is-FMM35.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Config\is-0I39U.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-EQJQN.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-53VNC.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-KS6P1.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-FDRA3.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-FVRK5.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\is-QN88S.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\is-MJ0M5.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Config\is-5562B.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-NIE0S.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-EC1SO.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-9AEBL.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-HQAP5.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-TUMMF.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-7TUUE.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-NQOTN.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-G5KJF.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-FBORA.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-S2UBO.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-QM2ID.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-VEGNK.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-QPL67.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-HCUE5.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-853F9.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Config\is-SATDB.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-6J2CR.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-JGV4D.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-1GBE8.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-MPCRK.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-F9MOR.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\is-APBMT.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-AIT7N.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-E02F0.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-N5ICB.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-I8LMM.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-CVU1T.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-F3PH9.tmp | is-613QT.tmp
File created | C:\Program Files (x86)\RejSpacer72\Skins\Blue\is-4JUKR.tmp | is-613QT.tmp

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Runs net.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 1352 wrote to memory of 1364 | 1352 | file.exe | 85
PID 1352 wrote to memory of 1364 | 1352 | file.exe | 85
PID 1352 wrote to memory of 1364 | 1352 | file.exe | 85
PID 1364 wrote to memory of 856 | 1364 | is-613QT.tmp | 86
PID 1364 wrote to memory of 856 | 1364 | is-613QT.tmp | 86
PID 1364 wrote to memory of 856 | 1364 | is-613QT.tmp | 86
PID 1364 wrote to memory of 2144 | 1364 | is-613QT.tmp | 87
PID 1364 wrote to memory of 2144 | 1364 | is-613QT.tmp | 87
PID 1364 wrote to memory of 2144 | 1364 | is-613QT.tmp | 87
PID 856 wrote to memory of 3796 | 856 | net.exe | 89
PID 856 wrote to memory of 3796 | 856 | net.exe | 89
PID 856 wrote to memory of 3796 | 856 | net.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 1352
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-FORG0.tmp\is-613QT.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-FORG0.tmp\is-613QT.tmp" /SL4 $D0034 "C:\Users\Admin\AppData\Local\Temp\file.exe" 956692 73728
    PID: 1364
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\system32\net.exe" helpmsg 2
      PID: 856
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 helpmsg 2
        PID: 3796
    - C:\Program Files (x86)\RejSpacer72\RejSpacer72.exe
      Command line: "C:\Program Files (x86)\RejSpacer72\RejSpacer72.exe"
      PID: 2144
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.1MB
  MD5: e9cdf5c3a4aa27f2d4fb1b9981a1ffc3
  SHA1: 1215f1d3c32ed05664c6588ef59d13b4456ea01e
  SHA256: 8ccb51fa9da80be70b9fa4425e239bb26773d2c91ca613b09d5d55e408f20ffe
  SHA512: 528bc87d9d2dbdb7e640168a40a98253d2b0addb9431c3af99d33a0c08b5db633098d060ddb7b737769d2e8c4f516a5c2553f24b931bae1d904f2a2886146cb3
- Filesize: 4KB
  MD5: ce494d2d223aed950fea67f657d3fa3e
  SHA1: 97a19c02487c41e3a079cd6764afffeb5e838b26
  SHA256: c8fa111c5b9537e3b6cab9ba763e164e27fa469f2232b82a54b206a7d892b9e9
  SHA512: 687bf3bd7de28dc45ea622672dc59d7e45d9ce83530a7db6462447ea247a9bde061738c454e09b48531aab9cce802c8491aa730e4da65e63daf31c65ffc39fe1
- Filesize: 664KB
  MD5: ce35b2dad10a0e6d5e016772efb75ad2
  SHA1: ac38173e753c499655ba566493e3c3ff71878d92
  SHA256: 31f933169e44b127e3f0a80077a088ed208c2504773a084bfca4de2f53b839c6
  SHA512: cdd97e8bbf568e9d6d6708bb427f3ce9d5433d320cd577e1e7bab1154c224efbb3960a24980ceec3e2bf471c72caf2309b13e7075c3216f6d43072d277a6642c
- Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63